howto: block WiFi calling/IPSec from a single device

Nexus 5x WiFi calling woes got you down? "Cellular preferred" not doing what you want it to? Well, I've got your solution. The configs below should block all IPSec from your mobile device. Simply replace the IP address in the rules with the IP of your phone and you're good to go!

firewall {
    name BLOCK_WIFI_CALLING {
        default-action accept
        rule 1 {
            action reject
            description "drop ipsec nat traversal and SIP"
            destination {
                port 4500,5060,5061
            }
            log enable
            protocol tcp_udp
            source {
                address 192.168.1.77
            }
        }
    }
}
...
interfaces {
  ethernet eth0 { ... }  // WAN
  ethernet eth1 {        // LAN
    firewall {
      in {
        name BLOCK_WIFI_CALLING
      }
    }
  }
}

If anybody has a more elegant solution, I'd love to see it!